Inspection Engine Overview; When To Use Application Protocol Inspection; How Inspection Engines Work - Cisco 7604 Configuration Manual

Inspection Engine Overview

•
•
•
•
•
•
•
Inspection Engine Overview
This section includes the following topics:
•
•
•

When to Use Application Protocol Inspection

When a user establishes a connection, the FWSM checks the packet against access lists, creates an
address translation, and creates an entry for the session in the accelerated path, so that further packets
can bypass time-consuming checks. However, the accelerated path relies on predictable port numbers
and does not perform address translations inside a packet.
Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to
negotiate dynamically-assigned port numbers.
Other applications embed an IP address in the packet that needs to match the source address that is
normally translated when it goes through the FWSM.
If you use applications like these, then you need to enable application inspection.
When you enable application inspection for a service that embeds IP addresses, the FWSM translates
embedded addresses and updates any checksum or other fields that are affected by the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the FWSM
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports
for the duration of the specific session.

How Inspection Engines Work

As illustrated in
•
•
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
22-2
Skinny (SCCP) Inspection, page 22-89
SMTP and Extended SMTP Inspection, page 22-94
SNMP Inspection, page 22-97
SQL*Net Inspection, page 22-99
Sun RPC Inspection, page 22-99
TFTP Inspection, page 22-104
XDMCP Inspection, page 22-104
When to Use Application Protocol Inspection, page 22-2
Inspection Limitations, page 22-3
Default Inspection Policy, page 22-4
Figure 22-2, the FWSM uses three databases for its basic operation:
Access lists—Used for authentication and authorization of connections based on specific networks,
hosts, and services (TCP/UDP port numbers).
Inspections—Contains a static, predefined set of application-level inspection functions.
Connections (XLATE and CONN tables)—Maintains state and other information about each
established connection. This information is used by the Adaptive Security Algorithm and
cut-through proxy to efficiently forward traffic within established sessions.
Chapter 22 Applying Application Layer Protocol Inspection
OL-20748-01